Episode: 112
Title: HPR0112: SSH Tunnelling
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0112/hpr0112.mp3
Transcribed: 2025-10-07 11:35:43
---
[Music]

Okay, and welcome back to the JWP Linux podcast. I'm hoping everything is okay with you all. I'd like to continue the SSH note that we had before and talk a little bit about SSH tunneling. An SSH tunnel, sometimes referred to as a VPN, is an encrypted network tunnel created through an SSH connection. SSH is frequently used to tunnel insecure traffic over the internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you want to mount a Windows file system remotely through the internet, someone snooping the connection could see your files. To mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic through the file server inside an SSH-encrypted connection. Even though SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

In order to create an SSH tunnel, the SSH client is configured to forward a specified remote port and IP address that is accessible on the SSH server to a port on the local machine. Once the SSH connection has been established, the user can connect to the specified port on the local address to reach the network services that would otherwise be available only on the remote IP address and port. The SSH tunnel provides a means to bypass firewalls that prohibit certain internet services, provided outgoing connections on port 22 are allowed. For example, many institutions have prohibited users from accessing web pages (port 80) directly without first being examined by a proxy/filter device.
However, if users are able to connect to an external SSH server, it is possible for them to create an SSH tunnel from port 80 on an external web server to a port, probably port 80, on the local machine, and thus get the web page by typing http://localhost in the browser. More commonly, users may set up their own proxy server at home using free software such as Squid and construct a tunnel from their workstation to the proxy. Then, by configuring their local browser to use localhost rather than the corporate proxy server, users can access any web page they want, bypassing their company's filters and firewalls. Another method is to use dynamic port forwarding, which creates a local SOCKS4/5 proxy server that applications can connect to, effectively creating an encrypted tunnel to the remote SSH server. The user can then configure his or her applications to use the SOCKS proxy server, usually bypassing the filtering systems or firewalls.

Okay, boys and girls, we're not saying that it's okay to do that at work or whatever, but a lot of people in China do exactly what was just described so that they can see CNN or anything else. So doing it on port 80 isn't good. You know, you can do that. It's not hard. You set up a shell account somewhere, you open up a browser port and port 80 in the Netscape, and it works just fine. Okay.

Okay, moving away from the Wiki to an article by Brian Hatch that was published the 1st of June, 2005. The making of an SSH is... it's a good thing. You know, tunnels can be created any time with almost no effort and no programming, which makes it very appealing. SSH forwarding we'll look at in a little bit more detail. It's an often useful but misunderstood technology. SSH forwarding can be used to secure communications in a number of different ways. For instance, a local forward example: say you have a mail client on your desktop and you currently use it to get mail from your POP server on port 110.
You may want to protect your POP server connection for several reasons, such as keeping your password from going across the line in the clear, or just to make sure no one's sniffing the email you're downloading. Normally your email client will establish a TCP connection to the server on port 110 and supply your username and password. You can try this yourself using the telnet or nc command. You type in whatever the username is at desktop, nc mailserver 110, and it starts going and lets you get all your stuff. For instance, you can say again username@desktop$ nc mailserver 110, and the response is +OK Super Duper POP3 mail server (mailserver.myisp.net) ready, and then USER whatever that user is, PASS its 20s, +OK user successfully logged on, then LIST and that's +OK 48 142 0 2 4 3 1 1689 2 1359 3 59 509 409 47 38, and then you type QUIT and this is +OK Super Duper mail server currently signing off, and back to username@desktop$.

We can wrap this TCP connection inside an SSH connection using SSH port forwarding. If you have SSH on the machine you access that offers your service, POP on 110 in this case, then SSH to it. If you don't, you can SSH to a server on the same network, if the network is trusted, and use SSH instead. Example: username@desktop$ nc localhost 9999, connection refused. ssh -L 9999:mailserver:110 shellserver, you put in your password, you type in the host name, the shell server, and then it's done. Before we connected to the shell server with SSH, nothing was listening on port 9999 on our desktop. Once we logged on to the mail server with our tunnel, this port was bound by the SSH process and the TCP connection to local port 9999 was magically tunneled through SSH to the other side.
Let's describe how this works. You launch /usr/bin/ssh, and the ssh command-line SSH client logs on to the remote machine using whatever authentication method: password, public key, etc. The SSH client binds the local port, the specified port which was 9999, on the loopback interface, 127.0.0.1, and you can do anything on the remote machine you want: tar up some files, write some users, delete, etc., interactive login. When a process connects to port 9999 on the client machine, the /usr/bin/ssh client accepts the connection. The SSH client informs the server over the encrypted channel to create a connection to the destination, in this case mailserver port 110. The SSH client takes any bits sent to port 9999 and sends them to the server inside the encrypted session, which decrypts them and sends them in the clear to the destination, port 110 on the mail server. The server takes any bits from the destination server, the mail server's port 110, and sends them back inside the SSH session, and the SSH client decrypts them and delivers them in the clear. When this connection is closed at either point, it is torn down inside the SSH connection as well.

Okay, so that's basically how it works. It sounds a little bit complex to me, but it works pretty good. So let's assume that the mail server has SSH there. So you would say ssh -v -L 9999:mailserver:110 shellserver. And then it would read the configuration data in /etc/ssh/ssh_config, rhosts authentication disabled, the original port will not be trusted, connecting to the shell server at IP 296.62.257.251 on port 22, connection established. Identity file /home/bri/.ssh/identity type 0, identity file /home/bri/.ssh/id_rsa type 1, identity file /home/bri/.ssh/id type 2.
Okay, next authentication method: password. username@shellserver's password, then enter, and then authentication succeeded (password). Connections to local port 9999 forwarded to remote address mailserver:110, local forwarding listening on 127.0.0.1 port 9999, channel 0: new [client-session], interactive session request, PTY request, request shell. As you can see, there's a brief mention of port 9999 being bound and available for tunneling. We haven't made the connection to this port yet, so the tunnel is not yet active. You can use the special character, number sign (~#) escape sequence to see the connections in use. The sequence only works after a carriage return, so hit enter a few times before trying it: enter, enter, special character, number sign. The following connections are open: #1 client-session (t4 r0 i0/0 o0/0 fd 5/6). There's only one connection, your actual SSH session from where you're typing those Linux commands.

Now in a different window, if we do telnet to localhost 9999, we'll open a new connection through the tunnel and we can see it from our SSH using the special character, number sign. Okay, so here we are, we press enter and use the strange and unusual character that's beside the one above the apostrophe. The following connections are open: the client session, t4 r0, I've done that thing before so we're not going to do that again; this is direct-tcpip: listening port 9999 for mailserver port 110, connect from 127.0.0.1 port 42789 (t4 0/0 0/0 fd 8/8). You can see that we now have both an SSH session and we're using the tunnel in the second entry. It tells you all you need to know about the connection from the same machine, which we can look up with netstat or lsof if we're curious about the output.
Okay, so that's about it for port forwarding. I hope to do it with a browser one time to really do it, and then do it step by step to see if I can really get Firefox to do it through a proxy. Alright, y'all take care and have a nice day now.

Thank you for listening to Hacker Public Radio, sponsored by caro.net, so head on over to C-A-R-O dot N-E-T for all of the team you
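The local forward the episode walks through (ssh -L 9999:mailserver:110 shellserver) is, on the desktop side, a loopback listener that hands every accepted connection to the far end and shuttles bytes both ways. The script below is an added example, not code from the episode, from Brian Hatch's article, or from OpenSSH: it models only the client-side relay, in plaintext and entirely on one machine so it runs offline, with a constructed stand-in for the POP3 server. Real ssh carries the bytes inside the encrypted session and the remote sshd makes the final hop to mailserver:110; here both legs are local. The names (start_fake_pop3, start_local_forward, pump, pop3_banner_via_tunnel, is_listening, FAKE_GREETING) are mine; ports 9999 and 110 come from the episode. The bind_addr parameter is there to show why ssh binds 127.0.0.1 by default: binding 0.0.0.0 would let every host on the LAN use the tunnel, and the local leg is cleartext.

```python
import socket
import threading

# Constructed POP3 greeting standing in for "mailserver" port 110 (not a real server).
FAKE_GREETING = b"+OK Super Duper POP3 mail server (constructed stand-in) ready\r\n"


def start_fake_pop3(host="127.0.0.1"):
    """Constructed stand-in for the mail server's port 110: greet, answer QUIT, close.
    Returns (listening socket, port); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed: stop the thread
                return
            with conn:
                try:
                    conn.sendall(FAKE_GREETING)
                    cmd = conn.recv(1024)
                    if cmd.upper().startswith(b"QUIT"):
                        conn.sendall(b"+OK Super Duper mail server signing off\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side so the
    tear-down propagates through the relay, as it does through an SSH channel."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(local_port, dest_host, dest_port, bind_addr="127.0.0.1"):
    """Client half of 'ssh -L local_port:dest_host:dest_port', modelled in plaintext.
    Binds local_port on bind_addr (ssh defaults to loopback, so only this machine can
    use the tunnel); each accepted connection gets its own connection to the
    destination and two relay threads. Returns the listening socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
            except OSError:
                client.close()         # destination unreachable: refuse just this one
                continue
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def _read_line(sock):
    """Read one CRLF-terminated POP3 line (the greeting may arrive in pieces)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def pop3_banner_via_tunnel(local_port):
    """What 'nc localhost 9999' shows once the tunnel is up: the server greeting."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        banner = _read_line(s)
        s.sendall(b"QUIT\r\n")
        return banner


def is_listening(port, host="127.0.0.1"):
    """Rough equivalent of checking with netstat/lsof whether the port is bound."""
    try:
        with socket.create_connection((host, port), timeout=1):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    pop_srv, pop_port = start_fake_pop3()
    print("port 9999 listening before the tunnel:", is_listening(9999))
    tunnel = start_local_forward(9999, "127.0.0.1", pop_port)
    print("port 9999 listening after the tunnel: ", is_listening(9999))
    print("banner via tunnel:", pop3_banner_via_tunnel(9999))
    tunnel.close()
    pop_srv.close()
```

Run it and the three lines mirror the episode: nothing on 9999 before the forward, the port bound after it, and the mail server's greeting arriving through the loopback port. Each accepted connection shows up as a separate relay pair, which is what the second ~# entry (direct-tcpip) in the episode corresponds to.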